Abstract: User authentication and key management are two important security issues in 
WSNs (Wireless Sensor Networks). In WSNs, for some applications, the user needs to 
obtain real-time data directly from sensors and several user authentication schemes have 
been recently proposed for this case. We found that a two-factor mutual authentication 
scheme with key agreement in WSNs is vulnerable to gateway node bypassing attacks and 
user impersonation attacks using secret data stored in sensor nodes or an attacker's own 
smart card. In this paper, we propose an improved scheme to overcome these security 
weaknesses by storing secret data in unique ciphertext form in each node. In addition, our 
proposed scheme should provide not only security, but also efficiency since sensors in a 
WSN operate with resource constraints such as limited power, computation, and storage 
space. Therefore, we also analyze the performance of the proposed scheme by comparing 
its computation and communication costs with those of other schemes. 
1. Introduction 

A wireless sensor network (WSN) is composed of a number of sensors (tens to thousands) that are 
deployed to collect data in a target area [1,2]. The number of potential applications for WSNs is 
increasing in various fields, including environmental monitoring, healthcare, agriculture, 
manufacturing, military sensing and tracking, and disaster alert [1-5]. The design of a specific WSN is 
dependent on the given application and the environment under which it operates [1]. In addition, 
sensors in a WSN operate with resource constraints such as limited power, computation, and storage 
space [1,3,6-8]. In WSNs, user queries are generally transmitted to the gateway [1,3,8,9]. However, 
for some applications, the user needs to obtain real-time data directly from sensors [1,3,8,9]. In this 
case, only legitimate users should be able to access the WSN. 

Several schemes for user authentication in WSNs have been proposed recently. Wong et al. [10] 
proposed a user authentication scheme that uses only one-way hash functions for computation 
efficiency on sensor nodes [10]. However, Das [3] pointed out that Wong et al.'s scheme does not 
prevent many-logged-in-users-with-the-same-login-ID threats and stolen-verifier attacks [3]. Das [3] 
proposed a two-factor user authentication in WSNs using a smart card and a password instead of 
maintaining a password/verifier table [3]. Other researchers, however, pointed out that Das' scheme 
still has security flaws. Chen and Shih [11] insisted that Das' scheme does not provide mutual 
authentication, and proposed a mutual authentication scheme between the user, the gateway, and the 
sensor node [11]; He et al. [9] said that Das' scheme has security weaknesses against insider attacks 
and impersonation attacks [9]; and Khan and Alghathbar [4] pointed out that Das' scheme 
is vulnerable to gateway node bypassing attacks and privileged-insider attacks [4]. In 2012, 
Vaidya et al. [12] pointed out that the schemes proposed by Das [3], Khan and Alghathbar [4] and Chen 
and Shih [11] are all insecure against stolen smart card attacks and sensor node impersonation attacks 
with node capture attacks and do not provide key agreement [12]. Therefore, they proposed a novel 
two-factor mutual authentication and key agreement scheme to prevent these attacks. In addition, they 
insisted that computational costs for gateway and sensor nodes in their proposed scheme are not so 
high. However, we found that their proposed scheme still has security flaws. 

In this paper, we show that gateway node bypassing attacks and user impersonation attacks are 
possible using secret data stored in a sensor or an attacker's own smart card in Vaidya et al.'s scheme. 
Additionally, we propose an improved scheme that eliminates such security weaknesses from 
Vaidya et al.'s scheme. We verify that the proposed scheme is secure against possible attacks. We 
also analyze the performance of the proposed scheme by comparing its computation cost and 
communication cost with those of other schemes. 

The remainder of the paper is organized as follows. Section 2 presents a review of Vaidya et al.'s 
scheme. Section 3 is devoted to analyzing the security of Vaidya et al.'s scheme. Section 4 proposes 
the improved scheme. Section 5 analyzes the security of the proposed scheme against possible attacks. 
Section 6 is devoted to analyzing the performance of the proposed scheme and Section 7 concludes 
this paper. 

2. Review of Vaidya et al.'s Scheme 

There are three communication parties in Vaidya et al.'s scheme [12]: a user, a gateway node, and a 
sensor node. This scheme is composed of four phases: registration phase, login phase, authentication-key 
agreement phase, and password change phase. We describe each phase in detail in Sections 2.1-2.4, 
and Table 1 shows the notations used in the remainder of the paper. 

Table 1. Notations [12]. 

Symbol              Description
$U_i$               $i$-th user
$S_j$               $j$-th sensor node
$GW$                Gateway node
$ID_i$              Identity of $U_i$
$pw_i$              Password of $U_i$
$SID_j$             Identity of $S_j$
$ID_s$              Identity of smart card
$K$                 Secret key known to only $GW$
$x_s$               Secret value generated by $GW$ and shared between only $GW$ and $S_j$
$h(\cdot)$          One-way hash function
$RN_i$              Random nonce of $U_i$
$RN_j$              Random nonce of $S_j$
$\oplus$            XOR operation
$\|$                Concatenation operation
$=?$, $<?$          Verification operation
$K_s$               Session key
$f(x, k)$           Pseudo-random function of variable $x$ with key $k$
$T_i$, $T_i'$       Current timestamp of $U_i$
$T_G$, $T_G'$       Current timestamp of $GW$
$T_j$               Current timestamp of $S_j$
$\Delta T$          The maximum of transmission delay time permitted
                    Secure channel
                    Insecure channel

Registration phase begins when the user sends a registration request with his/her identity and a 
hashed password to the gateway node. Then, the gateway node personalizes a smart card for the user 
and sends it to him/her as a response to the registration request. In the registration phase, all these 
communication messages are transmitted in secure channels. 

Sensors 2014, 14, 6446

Login phase begins when the user inserts his/her smart card into the terminal and inputs his/her 
identity and password. After the verification of the user's input value, the smart card computes and 
sends the authentication request to the gateway node. When the gateway node receives the 
authentication request from the user side, the authentication-key agreement phase begins. The gateway 
node verifies whether the authentication request comes from a legitimate user. If the verification is 
successful, the gateway node sends the authentication request to a sensor node which can respond to a 
request or a query from the user. In this phase, three authentication requests are transmitted. The first 
request is from the gateway node to the sensor node, the second is from the sensor node to the gateway 
node, and the final is from the gateway node to the user. As stated, when one party receives an 
authentication request, the party verifies its validity and sends a new authentication request to the other 
party. In login phase and authentication-key agreement phase, these request messages are transmitted 
in insecure channels. If all verifications are passed successfully, the user and the sensor node then 
share the session key for communication. The password change phase begins whenever the user wants 
to change his/her password. In the password change phase, the user side does not have to communicate 
with other parties. 

2.1. Registration Phase 

We describe the registration phase in this subsection. $U_i$ selects $ID_i$ and $pw_i$, computes 
$H\_PW_i = h(pw_i)$ and sends the registration request $\{ID_i, h(pw_i)\}$ to $GW$. Then, $GW$ personalizes a 
smart card for $U_i$ and sends it to $U_i$. Figure 1 shows the registration phase of Vaidya et al.'s scheme. 

R-1 $U_i$ selects $ID_i$ and $pw_i$. 

R-2 $U_i$ computes $H\_PW_i = h(pw_i)$. 

    $U_i$ sends a registration request $\{ID_i, H\_PW_i\}$ to $GW$ in secure channels (it was not mentioned 
    whether the registration request from $U_i$ to $GW$ is sent by secure channels [12], but we 
    guess that it is sent this way). 
R-3 $GW$ computes the following when it receives the registration request from $U_i$. 
    $A_i = h(ID_i \| H\_PW_i \| x_s) \oplus h(K)$ 
    $B_i = h(H\_PW_i \oplus x_s)$ 
    $C_i = x_s \oplus h(ID_s \| H\_PW_i)$ 
    $GW$ personalizes the smart card with $ID_s$, $ID_i$, $h(\cdot)$, $A_i$, $B_i$ and $C_i$. 
    $GW$ sends the smart card to $U_i$ in secure channels. 

Meanwhile, $SID_j$ and a secret value generated by $GW$ are stored in $S_j$ before it is deployed into a 
target field. 

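Figure 1. Registration phase of Vaidya et al.'s scheme [12]. 

$U_i$: selects $ID_i$, $pw_i$; $H\_PW_i = h(pw_i)$ 
$U_i \rightarrow GW$: $\{ID_i, H\_PW_i\}$ 
$GW$: $A_i = h(ID_i \| H\_PW_i \| x_s) \oplus h(K)$; $B_i = h(H\_PW_i \oplus x_s)$; $C_i = x_s \oplus h(ID_s \| H\_PW_i)$; 
      writes $ID_s$, $ID_i$, $h(\cdot)$, $A_i$, $B_i$, $C_i$ to the smart card 
$GW \rightarrow U_i$: smart card 
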
2.2. Login Phase 

The login phase begins when $U_i$ inserts $U_i$'s smart card into a terminal and inputs $ID_i^*$ and $pw_i^*$. 
In this phase, $U_i$ sends the authentication request to $GW$. Figure 2 illustrates the login phase of 
Vaidya et al.'s scheme. 

L-1 $U_i$ inserts $U_i$'s smart card into a terminal and inputs $ID_i^*$ and $pw_i^*$. 
L-2 The smart card computes the following. 
    $H\_PW_i^* = h(pw_i^*)$ 
    $x_s = C_i \oplus h(ID_s \| H\_PW_i^*)$ 
    $B_i^* = h(H\_PW_i^* \oplus x_s)$ 
    The smart card compares $B_i^*$ with $B_i$. If $B_i^* = B_i$, then the next step proceeds; otherwise, this 
    phase is aborted. 
L-3 The smart card generates a random nonce $RN_i$ and computes the following. $T_i$ is the current 
    timestamp of $U_i$'s system. 
    $DID_i = h(ID_i \| H\_PW_i^* \| x_s) \oplus h(x_s \| RN_i \| T_i)$ 
    $M_{U_i-G} = h(A_i \| x_s \| RN_i \| T_i)$ 
    $V_i = RN_i \oplus x_s$ 
    The smart card sends the authentication request $\{DID_i, M_{U_i-G}, V_i, T_i\}$ to $GW$. 



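Figure 2. Login phase of Vaidya et al.'s scheme [12]. 

$U_i$: $H\_PW_i^* = h(pw_i^*)$; $x_s = C_i \oplus h(ID_s \| H\_PW_i^*)$; $B_i^* = h(H\_PW_i^* \oplus x_s)$; 
       $DID_i = h(ID_i \| H\_PW_i^* \| x_s) \oplus h(x_s \| RN_i \| T_i)$; $M_{U_i-G} = h(A_i \| x_s \| RN_i \| T_i)$; $V_i = RN_i \oplus x_s$ 
$U_i \rightarrow GW$: $\{DID_i, M_{U_i-G}, V_i, T_i\}$ 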



2.3. Authentication-Key Agreement Phase 

When $GW$ receives the authentication request from $U_i$, the authentication-key agreement phase 
begins. In this phase, $U_i$, $GW$, and $S_j$ send and receive authentication requests from one another. Figure 3 
depicts the authentication-key agreement phase of Vaidya et al.'s scheme. The following describes this 
process in detail. 

A-1 $GW$ checks if $(T_G - T_i) < \Delta T$, where $T_G$ is the current timestamp of $GW$ system, and $\Delta T$ is 
    the maximum permitted transmission delay time. If $(T_G - T_i) < \Delta T$, then the next step 
    proceeds; otherwise, this phase is aborted. 
A-2 $GW$ computes the following. 
    $RN_i = V_i \oplus x_s$ 
    $X^* = DID_i \oplus h(x_s \| RN_i \| T_i)$ 
    $M_{U_i-G}^* = h((X^* \oplus h(K)) \| x_s \| RN_i \| T_i)$ 
    $GW$ compares $M_{U_i-G}^*$ with $M_{U_i-G}$. If $M_{U_i-G}^* = M_{U_i-G}$, then the next step proceeds; 
    otherwise, this phase is aborted. 
A-3 $GW$ computes $M_{G-S_j} = h(DID_i \| SID_j \| x_s \| T_G)$. $T_G$ is the current timestamp of $GW$ system. 
    $S_j$ is the nearest sensor node that can respond to $U_i$'s request. 
    $GW$ sends the authentication request $\{DID_i, M_{G-S_j}, T_G\}$ to $S_j$. 
A-4 $GW$ checks if $(T_j - T_G) < \Delta T$, where $T_j$ is the current timestamp of $S_j$ system. 
    If $(T_j - T_G) < \Delta T$, then the next step proceeds; otherwise, this phase is aborted. 
A-5 $S_j$ computes $M_{G-S_j}^* = h(DID_i \| SID_j \| x_s \| T_G)$. 
    $S_j$ compares $M_{G-S_j}^*$ with $M_{G-S_j}$. If $M_{G-S_j}^* = M_{G-S_j}$, then the next step proceeds; otherwise, 
    this phase is aborted. 
A-6 $S_j$ generates a random nonce $RN_j$ and computes the following. 
    $y_i = RN_j \oplus x_s$ 
    $M_{S_j-G} = h(z_i \| x_s \| T_j)$ 
    $S_j$ sends the authentication request $\{y_i, M_{S_j-G}, T_j\}$ to $GW$. 
A-7 $GW$ checks if $(T_G' - T_j) < \Delta T$, where $T_G'$ is the current timestamp of $GW$ system. 
    If $(T_G' - T_j) < \Delta T$, then the next step proceeds; otherwise, this phase is aborted. 
A-8 $GW$ computes the following. 
    $RN_j = y_i \oplus x_s$ 
    $z_i^* = M_{G-S_j} \oplus RN_j$ 
    $M_{S_j-G}^* = h(z_i^* \| x_s \| T_j)$ 
    $GW$ compares $M_{S_j-G}^*$ with $M_{S_j-G}$. If $M_{S_j-G}^* = M_{S_j-G}$, then the next step proceeds; 
    otherwise, this phase is aborted. 
A-9 $GW$ computes the following. 
    $M_{G-U_i} = h(DID_i \| M_{G-S_j} \| M_{U_i-G} \| x_s \| T_G')$ 
    $W_i = z_i^* \oplus x_s$ 
    $GW$ sends the authentication request $\{y_i, W_i, M_{G-U_i}, T_G'\}$ to $U_i$. 
A-10 $U_i$ checks if $(T_i' - T_G') < \Delta T$, where $T_i'$ is the current timestamp of $U_i$ system. 
    If $(T_i' - T_G') < \Delta T$, then the next step proceeds; otherwise, this phase is aborted. 
A-11 The smart card computes the following. 
    $RN_j = y_i \oplus x_s$ 
    $z_i^* = W_i \oplus x_s$ 
    $M_{G-S_j} = z_i^* \oplus RN_j$ 
    $M_{G-U_i}^* = h(DID_i \| M_{G-S_j} \| M_{U_i-G} \| x_s \| T_G')$ 
    The smart card compares $M_{G-U_i}^*$ with $M_{G-U_i}$. If $M_{G-U_i}^* = M_{G-U_i}$, then mutual 
    authentication between $U_i$ and $S_j$ is completed successfully; otherwise, this phase is aborted. 
A-12 The smart card computes $K_s = f((DID_i \| RN_j), x_s)$ to obtain a session key for 
    communication with $S_j$. Meanwhile, $S_j$ also computes $K_s = f((DID_i \| RN_j), x_s)$ to share a 
    session key with $U_i$. 
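Figure 3. Authentication-key agreement phase of Vaidya et al.'s scheme [12]. 

$GW$: $(T_G - T_i) <? \Delta T$; $RN_i = V_i \oplus x_s$; $X^* = DID_i \oplus h(x_s \| RN_i \| T_i)$; 
      $M_{U_i-G}^* = h((X^* \oplus h(K)) \| x_s \| RN_i \| T_i)$; $M_{G-S_j} = h(DID_i \| SID_j \| x_s \| T_G)$ 
$GW \rightarrow S_j$: $\{DID_i, M_{G-S_j}, T_G\}$ 
$S_j$: $(T_j - T_G) <? \Delta T$; $M_{G-S_j}^* = h(DID_i \| SID_j \| x_s \| T_G)$; $M_{G-S_j}^* =? M_{G-S_j}$; 
      $z_i = M_{G-S_j}^* \oplus RN_j$; $M_{S_j-G} = h(z_i \| x_s \| T_j)$ 
$S_j \rightarrow GW$: $\{y_i, M_{S_j-G}, T_j\}$ 
$GW$: $(T_G' - T_j) <? \Delta T$; $RN_j = y_i \oplus x_s$; $z_i^* = M_{G-S_j} \oplus RN_j$; $M_{S_j-G}^* = h(z_i^* \| x_s \| T_j)$; 
      $M_{S_j-G}^* =? M_{S_j-G}$; $M_{G-U_i} = h(DID_i \| M_{G-S_j} \| M_{U_i-G} \| x_s \| T_G')$ 
$GW \rightarrow U_i$: $\{y_i, W_i, M_{G-U_i}, T_G'\}$ 
$U_i$: $(T_i' - T_G') <? \Delta T$; $RN_j = y_i \oplus x_s$; $z_i^* = W_i \oplus x_s$; $M_{G-S_j} = z_i^* \oplus RN_j$; 
      $M_{G-U_i}^* = h(DID_i \| M_{G-S_j} \| M_{U_i-G} \| x_s \| T_G')$ 
$U_i$ and $S_j$: $K_s = f((DID_i \| RN_j), x_s)$ 
$S_j \rightarrow U_i$: response to $U_i$'s query / secure data transfer 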

2.4. Password Change Phase 

The password change phase proceeds when $U_i$ changes $U_i$'s existing password to a new one. In the 
password change phase, $U_i$ does not communicate with $GW$. 

P-1 $U_i$ inserts $U_i$'s smart card into a terminal and inputs $ID_i^*$, $pw_i^*$, and $pw_{ni}$. $pw_{ni}$ is $U_i$'s new password. 
P-2 The smart card computes the following. 
    $H\_PW_i^* = h(pw_i^*)$ 
    $x_s = C_i \oplus h(ID_s \| H\_PW_i^*)$ 
    $B_i^* = h(H\_PW_i^* \oplus x_s)$ 
    The smart card compares $B_i^*$ with $B_i$. If $B_i^* = B_i$, then the next step proceeds; otherwise, this phase 
    is aborted. 
P-3 The smart card computes the following. 
    $H\_PW_{ni} = h(pw_{ni})$ 
    $A_{ni} = A_i \oplus h(ID_i \| H\_PW_i^* \| x_s) \oplus h(ID_i \| H\_PW_{ni} \| x_s)$ 
    $B_{ni} = h(H\_PW_{ni} \oplus x_s)$ 
    $C_{ni} = x_s \oplus h(ID_s \| H\_PW_{ni})$ 
    The smart card replaces the existing values $A_i$, $B_i$, and $C_i$ with the new values $A_{ni}$, $B_{ni}$, and $C_{ni}$. 

3. Security Analysis of Vaidya et al.'s Scheme 

In this section, we analyze the security of Vaidya et al.'s scheme. We found that gateway node 
bypassing attacks are possible in Vaidya et al.'s scheme if an attacker captures a sensor node 
and extracts secret values stored in it. Additionally, an attacker can know secret values $x_s$ and $h(K)$ 
from the attacker's own smart card and use them for user impersonation attacks or gateway node 
bypassing attacks. 

In Sections 3.1-3.3, we describe possible attacks in Vaidya et al.'s scheme in detail. We assume 
that an attacker can eavesdrop on or intercept all messages sent or received between communication 
parties. We also assume that an attacker can read data stored in a smart card in any manner like in the 
related works [2,6,13-16]. In addition, we have to note that data stored in sensor nodes are not secure 
since an attacker can capture sensor nodes that are deployed in unattended environments and can then 
extract data from them. 

3.1. Gateway Node Bypassing Attacks Using Secret Data Stored in a Sensor Node 

In Vaidya et al.'s scheme, if an attacker extracts the secret data from a sensor node, he/she can 
impersonate $GW$ and communicate with $U_i$. These attacks proceed as explained below. $U_a$ denotes an 
attacker here. 

Step 1 $U_a$ extracts $x_s$ and $SID_j$ from a sensor node captured in the WSN. 

Step 2 Login phase begins when $U_i$ wants to access the WSN as in Section 2.2. 
       When $U_i$ sends the authentication request $\{DID_i, M_{U_i-G}, V_i, T_i\}$ to $GW$, $U_a$ 
       eavesdrops on it. 

Step 3 $U_a$ computes the following using $x_s$, $SID_j$ and $\{DID_i, M_{U_i-G}, V_i, T_i\}$. $T_a$ and $T_a'$ 
       denote the current timestamp of $U_a$ system, and $T_a < T_a'$. $U_a$ generates a random 
       nonce $RN_a$. 
       $M_{G-S_j} = h(DID_i \| SID_j \| x_s \| T_a)$ 
       $W_i = z_i^* \oplus x_s$ 
       $M_{G-U_i} = h(DID_i \| M_{G-S_j} \| M_{U_i-G} \| x_s \| T_a')$ 
       $U_a$ forges the authentication request sent from $GW$ to $U_i$ in authentication-key 
       agreement phase using $\{y_i, W_i, M_{G-U_i}, T_a'\}$. 

Step 4 When $U_i$ receives $\{y_i, W_i, M_{G-U_i}, T_a'\}$ from $U_a$, $U_i$ checks if $(T_i' - T_a') < \Delta T$, 
       where $T_i'$ is the current timestamp of $U_i$ system. If $(T_i' - T_a') < \Delta T$, then the next 
       step proceeds; otherwise, this phase is aborted. 

Step 5 The smart card computes the following. 
       $RN_a = y_i \oplus x_s$ 
       $z_i^* = W_i \oplus x_s$ 
       $M_{G-U_i}^* = h(DID_i \| M_{G-S_j} \| M_{U_i-G} \| x_s \| T_a')$ 
       The smart card compares $M_{G-U_i}$ with $M_{G-U_i}^*$. Since $M_{G-U_i} = M_{G-U_i}^*$, $U_i$ regards 
       $\{y_i, W_i, M_{G-U_i}, T_a'\}$ as being transmitted from $GW$. Therefore, $U_a$ can 
       communicate with $U_i$ using the session key $K_s = f((DID_i \| RN_a), x_s)$. 

3.2. User Impersonation Attacks Using an Attacker's Own Smart Card 

If an attacker $U_a$ registers with $GW$, $U_a$ receives the smart card personalized with $U_a$'s own identity 
and password, $ID_a$ and $pw_a$. $U_a$ can compute $x_s$ and $h(K)$ using $ID_a$, $pw_a$, and secret values stored in 
the smart card. 

Step 1 As shown in Section 2.1, $U_a$ selects $ID_a$ and $pw_a$. 
Step 2 $U_a$ computes $H\_PW_a = h(pw_a)$. 
       $U_a$ sends the registration request $\{ID_a, h(pw_a)\}$ to $GW$. 
Step 3 $GW$ computes the following when it receives the registration request from $U_a$. 
       $A_a = h(ID_a \| H\_PW_a \| x_s) \oplus h(K)$ 
       $B_a = h(H\_PW_a \oplus x_s)$ 
       $C_a = x_s \oplus h(ID_s \| H\_PW_a)$ 
       $GW$ personalizes the smart card with $ID_s$, $ID_a$, $h(\cdot)$, $A_a$, $B_a$, and $C_a$. 
       $GW$ sends the smart card to $U_a$. 
Step 4 $U_a$ reads $ID_s$, $ID_a$, $A_a$, $B_a$, and $C_a$ from the smart card. 
       $U_a$ can know $x_s$ and $h(K)$ by computing the following. 
       $x_s = C_a \oplus h(ID_s \| H\_PW_a)$ 
       $h(K) = A_a \oplus h(ID_a \| H\_PW_a \| x_s)$ 

$U_a$ can impersonate a legitimate user who has registered with $GW$ using $x_s$ and $h(K)$. In addition, 
$U_a$ can also log in with any temporary identity that does not actually exist. 

3.2.1. Logging in with Any Temporary Identity 

We describe the process where $U_a$ logs in with any temporary identity that does not actually exist 
using $x_s$ and $h(K)$. 

Step 1 $U_a$ selects any temporary identity and password $ID_p$ and $pw_p$. $U_a$ computes the 
       authentication request as follows. $T_a$ denotes the current timestamp of $U_a$ system, and $RN_a$ 
       is a random nonce generated by $U_a$. 
       $H\_PW_p^* = h(pw_p)$ 
       $A_p = h(ID_p \| H\_PW_p^* \| x_s) \oplus h(K)$ 
       $DID_p = h(ID_p \| H\_PW_p^* \| x_s) \oplus h(x_s \| RN_a \| T_a)$ 
       $M_{U_p-G} = h(A_p \| x_s \| RN_a \| T_a)$ 
       $V_p = RN_a \oplus x_s$ 
       $U_a$ sends the authentication request $\{DID_p, M_{U_p-G}, V_p, T_a\}$ to $GW$. 

Step 2 When $GW$ receives the authentication request, $GW$ checks if $(T_G - T_a) < \Delta T$, where $T_G$ is 
       the current timestamp of $GW$ system. If $(T_G - T_a) < \Delta T$, then the next step proceeds; 
       otherwise, this phase is aborted. 
Step 3 $GW$ computes the following. 
       $X^* = DID_p \oplus h(x_s \| RN_a \| T_a)$ 
       $M_{U_p-G}^* = h((X^* \oplus h(K)) \| x_s \| RN_a \| T_a)$ 
       $GW$ compares $M_{U_p-G}$ with $M_{U_p-G}^*$. $GW$ regards $\{DID_p, M_{U_p-G}, V_p, T_a\}$ as being sent from 
       a legitimate user because $M_{U_p-G} = M_{U_p-G}^*$. 



3.2.2. Logging in with the Identity of a Legitimate User 

We describe when $U_a$ impersonates a legitimate user $U_i$ who has registered with $GW$ using $x_s$ 
and $h(K)$. 

Step 1 In the previous session, when $U_i$ sends the authentication request $\{DID_i, M_{U_i-G}, V_i, T_i\}$ to 
       $GW$ as shown in Section 2.2, $U_a$ eavesdrops on it. 
Step 2 $U_a$ computes the following. $RN_a$ is a random nonce generated by $U_a$. $T_a$ is the current 
       timestamp of $U_a$ system. $x_s$ and $h(K)$ are already known to $U_a$, as mentioned above. 
       $RN_i = V_i \oplus x_s$ 
       $h(ID_i \| H\_PW_i^* \| x_s) = DID_i \oplus h(x_s \| RN_i \| T_i)$ 
       $DID_i = h(ID_i \| H\_PW_i^* \| x_s) \oplus h(x_s \| RN_a \| T_a)$ 
       $A_i = h(ID_i \| H\_PW_i^* \| x_s) \oplus h(K)$ 
       $M_{U_i-G} = h(A_i \| x_s \| RN_a \| T_a)$ 
       $V_i = RN_a \oplus x_s$ 
       $U_a$ sends the authentication request $\{DID_i, M_{U_i-G}, V_i, T_a\}$ to $GW$. 
Step 3 When $GW$ receives $\{DID_i, M_{U_i-G}, V_i, T_a\}$, $GW$ checks if $(T_G - T_a) < \Delta T$, where $T_G$ is the 
       current timestamp of $GW$ system. If $(T_G - T_a) < \Delta T$, then the next step proceeds; otherwise, 
       this phase is aborted. 
Step 4 $GW$ computes the following. 
       $RN_a = V_i \oplus x_s$ 
       $X^* = DID_i \oplus h(x_s \| RN_a \| T_a)$ 
       $M_{U_i-G}^* = h((X^* \oplus h(K)) \| x_s \| RN_a \| T_a)$ 
       $GW$ compares $M_{U_i-G}$ with $M_{U_i-G}^*$. $GW$ regards $\{DID_i, M_{U_i-G}, V_i, T_a\}$ as being sent from a 
       legitimate user because $M_{U_i-G} = M_{U_i-G}^*$. 
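
The check below is an added example, not code from the paper or from Vaidya et al.; it models Sections 2.1, 2.2 and 3.2 so a reviewer can confirm that the gateway's A-2 test depends only on values any card holder can derive. SHA-256, the length-prefixed encoding of "||", 32-byte secrets, the 5-second delay bound and all names (`ReviewedGateway`, `card_secrets`, `audit`) are assumptions.

```python
import hashlib
import hmac
import os
import time

DELTA_T = 5  # assumed maximum transmission delay, in seconds


def h(*fields: bytes) -> bytes:
    """h(a || b || ...): SHA-256 over length-prefixed fields (encoding is an assumption)."""
    digest = hashlib.sha256()
    for field in fields:
        digest.update(len(field).to_bytes(2, "big") + field)
    return digest.digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ts(t: int) -> bytes:
    return t.to_bytes(8, "big")


class ReviewedGateway:
    """GW of the reviewed scheme: one K and one x_s for the whole network."""

    def __init__(self):
        self.K = os.urandom(32)
        self.x_s = os.urandom(32)

    def register(self, ID_i, H_PW_i, ID_s):
        # Step R-3: values written to the smart card.
        A_i = xor(h(ID_i, H_PW_i, self.x_s), h(self.K))
        B_i = h(xor(H_PW_i, self.x_s))
        C_i = xor(self.x_s, h(ID_s, H_PW_i))
        return {"ID_s": ID_s, "ID_i": ID_i, "A": A_i, "B": B_i, "C": C_i}

    def accepts(self, DID, M, V, T, now):
        # Steps A-1 and A-2. No per-user record is consulted anywhere.
        if now - T >= DELTA_T:
            return False
        RN = xor(V, self.x_s)
        X = xor(DID, h(self.x_s, RN, ts(T)))
        expected = h(xor(X, h(self.K)), self.x_s, RN, ts(T))
        return hmac.compare_digest(M, expected)


def card_secrets(card, pw):
    """Section 3.2, Step 4: what a card holder who knows their own password derives."""
    H_PW = h(pw)
    x_s = xor(card["C"], h(card["ID_s"], H_PW))
    h_K = xor(card["A"], h(card["ID_i"], H_PW, x_s))
    return x_s, h_K


def login_request(ID, pw, x_s, h_K, T):
    """Step L-3 computed from (x_s, h(K)) alone, as in Section 3.2.1."""
    H_PW = h(pw)
    RN = os.urandom(32)
    A = xor(h(ID, H_PW, x_s), h_K)
    DID = xor(h(ID, H_PW, x_s), h(x_s, RN, ts(T)))
    return DID, h(A, x_s, RN, ts(T)), xor(RN, x_s), T


def audit():
    """Register one user, then test a request for an identity GW never registered."""
    gw = ReviewedGateway()
    card = gw.register(b"user-a", h(b"password-a"), b"card-a")  # constructed sample values
    x_s, h_K = card_secrets(card, b"password-a")
    now = int(time.time())
    request = login_request(b"user-p", b"password-p", x_s, h_K, now)
    return {
        "card_yields_x_s": x_s == gw.x_s,
        "card_yields_h_K": h_K == h(gw.K),
        "unregistered_identity_accepted": gw.accepts(*request, now=now),
        "stale_request_accepted": gw.accepts(*request, now=now + DELTA_T),
    }


if __name__ == "__main__":
    for finding, value in audit().items():
        print(f"{finding}: {value}")
```

The timestamp check still rejects a stale request, which is why Table 2 credits the scheme with replay resistance while the impersonation finding stands.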



3.3. Gateway Node Bypassing Attacks Using an Attacker's Own Smart Card 

As discussed in Section 3.2, if an attacker $U_a$ obtains $x_s$ and $h(K)$ using data stored in his/her own 
smart card, he/she can impersonate $GW$. The following shows the attack process in detail. $U_a$ denotes 
an attacker here. 

Step 1 Login phase begins when $U_i$ wants to access the WSN as described in Section 2.2. 
       When $U_i$ sends the authentication request $\{DID_i, M_{U_i-G}, V_i, T_i\}$ to $GW$, $U_a$ eavesdrops on 
       the transmission. 
Step 2 $U_a$ computes the following using $x_s$ and $\{DID_i, M_{U_i-G}, V_i, T_i\}$. $T_a$ and $T_a'$ denote the 
       current timestamp of $U_a$ system, and $T_a < T_a'$. $U_a$ generates a random nonce $RN_a$. $SID_a$ is 
       created by $U_a$. 
       $y_i = RN_a \oplus x_s$ 
       $M_{G-S_j} = h(DID_i \| SID_a \| x_s \| T_a)$ 
       $W_i = z_i^* \oplus x_s$ 
       $M_{G-U_i} = h(DID_i \| M_{G-S_j} \| M_{U_i-G} \| x_s \| T_a')$ 
       $U_a$ forges the authentication request sent from $GW$ to $U_i$ in authentication-key agreement 
       phase using $\{y_i, W_i, M_{G-U_i}, T_a'\}$. 
Step 3 When $U_i$ receives $\{y_i, W_i, M_{G-U_i}, T_a'\}$ from $U_a$, $U_i$ checks if $(T_i' - T_a') < \Delta T$, where $T_i'$ is 
       the current timestamp of $U_i$ system. If $(T_i' - T_a') < \Delta T$, then the next step proceeds; 
       otherwise, this phase is aborted. 
Step 4 The smart card computes the following. 
       $RN_a = y_i \oplus x_s$ 
       $z_i^* = W_i \oplus x_s$ 
       $M_{G-S_j} = z_i^* \oplus RN_a$ 
       $M_{G-U_i}^* = h(DID_i \| M_{G-S_j} \| M_{U_i-G} \| x_s \| T_a')$ 
       The smart card compares $M_{G-U_i}$ with $M_{G-U_i}^*$. Since $M_{G-U_i} = M_{G-U_i}^*$, $U_i$ regards $\{y_i, W_i, 
       M_{G-U_i}, T_a'\}$ as being transmitted from $GW$. Therefore, $U_a$ can communicate with $U_i$ using 
       the session key $K_s = f((DID_i \| RN_a), x_s)$. 

4. The Proposed Scheme 

In this section, we propose an improved scheme that can overcome the security weaknesses 
presented in Section 3. The reason why Vaidya et al.'s scheme is vulnerable to sensor node capture 
attacks is that $x_s$ is stored in plaintext form in $S_j$ though it is a secret value. To make matters worse, 
$x_s$ is shared between all sensor nodes in the WSN. Also, in Vaidya et al.'s scheme, an attacker can 
compute and use $x_s$ and $h(K)$ for attacks because they are stored in all users' smart cards. Therefore, 
the main ideas of our proposed scheme are as follows: 

■ When $GW$ personalizes a smart card for $U_i$ in the registration phase, $GW$ uses $XS_i = 
h(H\_ID_i \| x_s)$ and $h(H\_ID_i \| K)$ instead of $x_s$ and $h(K)$ to prevent an attacker from computing 
$x_s$ or $h(K)$. Since $XS_i$ and $h(H\_ID_i \| K)$ are unique for each user, an attacker cannot reuse them 
to impersonate a legitimate user. 

■ In the proposed scheme, $XS_j^* = h(SID_j \| x_s)$ instead of $x_s$ is stored in $S_j$ to prevent an attacker 
from extracting $x_s$ from $S_j$. Since $XS_j^*$ is unique for each sensor node, we can attenuate the 
effects of sensor node capture attacks as much as possible. 

We describe each phase in detail in Sections 4.1 through 4.4. Before describing the proposed 
scheme in detail, we present the security requirements for the proposed scheme. 

■ The proposed scheme has to be secure against possible attacks such as replay, password 
guessing, user impersonation, gateway node bypassing and parallel session attacks. 

■ The proposed scheme has to minimize the damage caused by sensor node capture attacks. The 
authentication scheme cannot be a perfect solution that blocks sensor node capture attacks 
completely. Nevertheless, the proposed scheme should attenuate the effects of sensor node 
capture attacks as much as possible. 

■ We assume an attacker can obtain all data from a smart card. Therefore, our proposed scheme 
has to be devised considering stolen smart card attacks, lost smart card problems, and attacks 
that use an attacker's own smart card, as shown in Section 3. 

■ The proposed scheme must be secure against privileged-insider attacks or stolen-verifier attacks. 

■ The proposed scheme has to provide methods for mutual authentication, key agreement between 
$U_i$ and $S_j$, and password change. 

4.1. Registration Phase 

In the registration phase, $U_i$ selects $ID_i$ and $pw_i$. $U_i$ computes and sends the registration request 
$\{ID_i, h(pw_i \| RN_r)\}$ to the gateway node, where $RN_r$ is a random nonce. Then, $GW$ personalizes a 
smart card for $U_i$. Figure 4 illustrates the registration phase of the proposed scheme. Meanwhile, $SID_j$ 
and $XS_j^*$ are stored in $S_j$, where $XS_j^* = h(SID_j \| x_s)$, before $S_j$ is deployed into a target field. 

R-1 $U_i$ selects $ID_i$ and $pw_i$. 

R-2 $U_i$ generates a random nonce $RN_r$ and computes $H\_PW_i = h(pw_i \| RN_r)$. 

    $U_i$ sends the registration request $\{ID_i, H\_PW_i\}$ to $GW$ in secure channels. 
R-3 $GW$ computes the following when it receives a registration request from $U_i$. 
    $H\_ID_i = h(ID_i \| K)$ 
    $XS_i = h(H\_ID_i \| x_s)$ 
    $A_i = h(H\_PW_i \| XS_i) \oplus h(H\_ID_i \| K)$ 
    $B_i = h(H\_PW_i \oplus XS_i)$ 
    $C_i = XS_i \oplus h(ID_s \| H\_PW_i)$ 
    $GW$ personalizes the smart card with $ID_s$, $H\_ID_i$, $h(\cdot)$, $A_i$, $B_i$ and $C_i$. 
    $GW$ sends the smart card to $U_i$ in secure channels. 
R-4 $U_i$ computes $X\_PW_i = h(pw_i) \oplus RN_r$ and adds $X\_PW_i$ to the smart card. 



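Figure 4. Registration phase of the proposed scheme. 

$U_i$: selects $ID_i$ and $pw_i$; $H\_PW_i = h(pw_i \| RN_r)$ 
$U_i \rightarrow GW$: $\{ID_i, H\_PW_i\}$ 
$GW$: $H\_ID_i = h(ID_i \| K)$; $XS_i = h(H\_ID_i \| x_s)$; $A_i = h(H\_PW_i \| XS_i) \oplus h(H\_ID_i \| K)$; 
      $B_i = h(H\_PW_i \oplus XS_i)$; $C_i = XS_i \oplus h(ID_s \| H\_PW_i)$; 
      writes $ID_s$, $H\_ID_i$, $h(\cdot)$, $A_i$, $B_i$, $C_i$ to the smart card 
$GW \rightarrow U_i$: smart card 
$U_i$: $X\_PW_i = h(pw_i) \oplus RN_r$; adds $X\_PW_i$ to the smart card 
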
4.2. Login Phase 

The login phase begins when $U_i$ inserts $U_i$'s smart card into a terminal and inputs $ID_i^*$ and $pw_i^*$. 
In this phase, $U_i$ sends the authentication request to $GW$. Figure 5 depicts the login phase of the 
proposed scheme. 

L-1 $U_i$ inserts $U_i$'s smart card into a terminal and inputs $ID_i^*$ and $pw_i^*$. 
L-2 The smart card computes the following. 
    $RN_r^* = h(pw_i^*) \oplus X\_PW_i$ 
    $H\_PW_i^* = h(pw_i^* \| RN_r^*)$ 
    $XS_i^* = C_i \oplus h(ID_s \| H\_PW_i^*)$ 
    $B_i^* = h(H\_PW_i^* \oplus XS_i^*)$ 
    The smart card compares $B_i^*$ with $B_i$. If $B_i^* = B_i$, then the next step proceeds; otherwise, this 
    phase is aborted. 
L-3 The smart card generates a random nonce $RN_i$ and computes the following. $T_i$ is the current 
    timestamp of $U_i$ system. 
    $DID_i = h(H\_PW_i^* \| XS_i^*) \oplus h(XS_i^* \| RN_i \| T_i)$ 
    $M_{U_i-G} = h(A_i \| XS_i^* \| RN_i \| T_i)$ 
    $V_i = RN_i \oplus XS_i^*$ 
    The smart card sends the authentication request $\{DID_i, M_{U_i-G}, V_i, T_i, H\_ID_i\}$ to $GW$. 



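Figure 5. Login phase of the proposed scheme. 

$U_i$: $RN_r^* = h(pw_i^*) \oplus X\_PW_i$; $H\_PW_i^* = h(pw_i^* \| RN_r^*)$; $XS_i^* = C_i \oplus h(ID_s \| H\_PW_i^*)$; 
       $B_i^* = h(H\_PW_i^* \oplus XS_i^*)$; $B_i^* =? B_i$; 
       $DID_i = h(H\_PW_i^* \| XS_i^*) \oplus h(XS_i^* \| RN_i \| T_i)$; $M_{U_i-G} = h(A_i \| XS_i^* \| RN_i \| T_i)$; $V_i = RN_i \oplus XS_i^*$ 
$U_i \rightarrow GW$: $\{DID_i, M_{U_i-G}, V_i, T_i, H\_ID_i\}$ 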



4.3. Authentication-Key Agreement Phase 

When $GW$ receives an authentication request from $U_i$, the authentication-key agreement phase 
begins. In this phase, $U_i$, $GW$, and $S_j$ send and receive authentication requests from one another. Figure 6 
shows the authentication-key agreement phase of the proposed scheme. The following describes this 
process in detail. 

A-1 $GW$ checks if $(T_G - T_i) < \Delta T$, where $T_G$ is the current timestamp of $GW$ system. 
    If $(T_G - T_i) < \Delta T$, then the next step proceeds; otherwise, this phase is aborted. 
A-2 $GW$ computes the following. 
    $XS_i = h(H\_ID_i \| x_s)$ 
    $X^* = DID_i \oplus h(XS_i \| RN_i \| T_i)$ 
    $M_{U_i-G}^* = h((X^* \oplus h(H\_ID_i \| K)) \| XS_i \| RN_i \| T_i)$ 
    $GW$ compares $M_{U_i-G}^*$ with $M_{U_i-G}$. If $M_{U_i-G}^* = M_{U_i-G}$, then the next step proceeds; 
    otherwise, this phase is aborted. 
A-3 $GW$ computes the following. $T_G$ is the current timestamp of $GW$ system. $S_j$ is the nearest 
    sensor node that can respond to $U_i$'s request. 
    $XS_j = h(SID_j \| x_s)$ 
    $M_{G-S_j} = h(DID_i \| SID_j \| XS_j \| T_G)$ 
    $GW$ sends the authentication request $\{DID_i, M_{G-S_j}, T_G\}$ to $S_j$. 
A-4 $GW$ checks if $(T_j - T_G) < \Delta T$, where $T_j$ is the current timestamp of $S_j$. 
    If $(T_j - T_G) < \Delta T$, then the next step proceeds; otherwise, this phase is aborted. 
A-5 $S_j$ computes $M_{G-S_j}^* = h(DID_i \| SID_j \| XS_j^* \| T_G)$. 
    $S_j$ compares $M_{G-S_j}^*$ with $M_{G-S_j}$. If $M_{G-S_j}^* = M_{G-S_j}$, then the next step proceeds; otherwise, 
    this phase is aborted. 
A-6 $S_j$ generates a random nonce $RN_j$ and computes the following. 
    $y_j = RN_j \oplus XS_j^*$ 
    $z_i = M_{G-S_j}^* \oplus RN_j$ 
    $M_{S_j-G} = h(z_i \| XS_j^* \| T_j)$ 
    $S_j$ sends the authentication request $\{y_j, M_{S_j-G}, T_j\}$ to $GW$. 
A-7 $GW$ checks if $(T_G' - T_j) < \Delta T$, where $T_G'$ is the current timestamp of $GW$. 
    If $(T_G' - T_j) < \Delta T$, then the next step proceeds; otherwise, this phase is aborted. 
A-8 $GW$ computes the following. 
    $RN_j = y_j \oplus XS_j$ 
    $z_i^* = M_{G-S_j} \oplus RN_j$ 
    $M_{S_j-G}^* = h(z_i^* \| XS_j \| T_j)$ 
    $GW$ compares $M_{S_j-G}^*$ with $M_{S_j-G}$. If $M_{S_j-G}^* = M_{S_j-G}$, then the next step proceeds; 
    otherwise, this phase is aborted. 
A-9 $GW$ computes the following: 
    $M_{G-U_i} = h(DID_i \| M_{G-S_j} \| M_{U_i-G} \| XS_i \| T_G')$ 
    $W_i = z_i^* \oplus XS_i$ 
    $y_i = RN_j \oplus XS_i$ 
    $q_j = XS_j \oplus RN_j$ 
    $GW$ sends the authentication request $\{y_i, W_i, M_{G-U_i}, q_j, T_G'\}$ to $U_i$. 
A-10 $U_i$ checks if $(T_i' - T_G') < \Delta T$, where $T_i'$ is the current timestamp of $U_i$. If $(T_i' - T_G') < \Delta T$, 
    then the next step proceeds; otherwise, this phase is aborted. 
A-11 The smart card computes the following: 
    $RN_j = y_i \oplus XS_i^*$ 
    $M_{G-S_j}^* = z_i^* \oplus RN_j$ 
    $M_{G-U_i}^* = h(DID_i \| M_{G-S_j}^* \| M_{U_i-G} \| XS_i \| T_G')$ 
    The smart card compares $M_{G-U_i}^*$ with $M_{G-U_i}$. If $M_{G-U_i}^* = M_{G-U_i}$, then mutual 
    authentication between $U_i$ and $S_j$ is completed successfully; otherwise, this phase is aborted. 
A-12 The smart card computes the following to get a session key for communication with $S_j$. 
    Meanwhile, $S_j$ also computes $K_s = f((DID_i \| RN_j), XS_j^*)$ to share a session key with $U_i$. 
    $XS_j = q_j \oplus RN_j$ 
    $K_s = f((DID_i \| RN_j), XS_j)$ 



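Figure 6. Authentication-key agreement phase of the proposed scheme. 

Held before the phase: $GW$ holds $(K, x_s)$; $S_j$ holds $(SID_j, XS_j^*)$. 

$GW$: $(T_G - T_i) <? \Delta T$; $XS_i = h(H\_ID_i \| x_s)$; $RN_i = V_i \oplus XS_i$; $X^* = DID_i \oplus h(XS_i \| RN_i \| T_i)$; 
      $M_{U_i-G}^* = h((X^* \oplus h(H\_ID_i \| K)) \| XS_i \| RN_i \| T_i)$; $M_{U_i-G}^* =? M_{U_i-G}$; 
      $XS_j = h(SID_j \| x_s)$; $M_{G-S_j} = h(DID_i \| SID_j \| XS_j \| T_G)$ 
$GW \rightarrow S_j$: $\{DID_i, M_{G-S_j}, T_G\}$ 
$S_j$: $(T_j - T_G) <? \Delta T$; $M_{G-S_j}^* = h(DID_i \| SID_j \| XS_j^* \| T_G)$; $M_{G-S_j}^* =? M_{G-S_j}$; 
      $y_j = RN_j \oplus XS_j^*$; $z_i = M_{G-S_j}^* \oplus RN_j$; $M_{S_j-G} = h(z_i \| XS_j^* \| T_j)$ 
$S_j \rightarrow GW$: $\{y_j, M_{S_j-G}, T_j\}$ 
$GW$: $(T_G' - T_j) <? \Delta T$; $RN_j = y_j \oplus XS_j$; $z_i^* = M_{G-S_j} \oplus RN_j$; $M_{S_j-G}^* = h(z_i^* \| XS_j \| T_j)$; 
      $M_{S_j-G}^* =? M_{S_j-G}$; $M_{G-U_i} = h(DID_i \| M_{G-S_j} \| M_{U_i-G} \| XS_i \| T_G')$; 
      $W_i = z_i^* \oplus XS_i$; $y_i = RN_j \oplus XS_i$; $q_j = XS_j \oplus RN_j$ 
$GW \rightarrow U_i$: $\{y_i, W_i, M_{G-U_i}, q_j, T_G'\}$ 
$U_i$: $(T_i' - T_G') <? \Delta T$; $RN_j = y_i \oplus XS_i$; $z_i^* = W_i \oplus XS_i$; $M_{G-S_j}^* = z_i^* \oplus RN_j$; 
      $M_{G-U_i}^* = h(DID_i \| M_{G-S_j}^* \| M_{U_i-G} \| XS_i \| T_G')$; $M_{G-U_i}^* =? M_{G-U_i}$; $XS_j = q_j \oplus RN_j$ 
$U_i$: $K_s = f((DID_i \| RN_j), XS_j)$; $S_j$: $K_s = f((DID_i \| RN_j), XS_j^*)$ 
$S_j \rightarrow U_i$: response to $U_i$'s query / secure data transfer 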
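
The following added example (not code from the paper) models the proposed registration, login and A-2 check to show the effect of per-user $XS_i$: a card holder's own login verifies, while the same card's values presented under another user's $H\_ID_i$ do not, and the card never yields $x_s$. SHA-256, the length-prefixed encoding of "||", 32-byte secrets, the 5-second delay bound, the hypothetical `claim_H_ID` parameter and all other names are assumptions.

```python
import hashlib
import hmac
import os
import time

DELTA_T = 5  # assumed maximum transmission delay, in seconds


def h(*fields: bytes) -> bytes:
    """h(a || b || ...): SHA-256 over length-prefixed fields (encoding is an assumption)."""
    digest = hashlib.sha256()
    for field in fields:
        digest.update(len(field).to_bytes(2, "big") + field)
    return digest.digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ts(t: int) -> bytes:
    return t.to_bytes(8, "big")


class ProposedGateway:
    def __init__(self):
        self.K = os.urandom(32)
        self.x_s = os.urandom(32)

    def register(self, ID_i, H_PW_i, ID_s):
        # Step R-3: every card value is bound to H_ID_i.
        H_ID = h(ID_i, self.K)
        XS = h(H_ID, self.x_s)
        A = xor(h(H_PW_i, XS), h(H_ID, self.K))
        B = h(xor(H_PW_i, XS))
        C = xor(XS, h(ID_s, H_PW_i))
        return {"ID_s": ID_s, "H_ID": H_ID, "A": A, "B": B, "C": C}

    def sensor_secret(self, SID_j):
        # XS_j* stored in S_j before deployment.
        return h(SID_j, self.x_s)

    def accepts(self, DID, M, V, T, H_ID, now):
        # Steps A-1 and A-2: XS_i is re-derived from the claimed H_ID_i.
        if now - T >= DELTA_T:
            return False
        XS = h(H_ID, self.x_s)
        RN = xor(V, XS)
        X = xor(DID, h(XS, RN, ts(T)))
        expected = h(xor(X, h(H_ID, self.K)), XS, RN, ts(T))
        return hmac.compare_digest(M, expected)


def enroll(gw, ID, pw, ID_s):
    """Steps R-1 to R-4 on the user side; returns the finished card."""
    RN_r = os.urandom(32)
    card = gw.register(ID, h(pw, RN_r), ID_s)
    card["X_PW"] = xor(h(pw), RN_r)
    return card


def card_xs(card, pw):
    """Step L-2: recompute H_PW_i* and XS_i* from the card and the typed password."""
    RN_r = xor(h(pw), card["X_PW"])
    H_PW = h(pw, RN_r)
    return H_PW, xor(card["C"], h(card["ID_s"], H_PW))


def card_login(card, pw, T, claim_H_ID=None):
    """Steps L-2 and L-3; claim_H_ID (hypothetical) substitutes another user's H_ID."""
    H_PW, XS = card_xs(card, pw)
    if not hmac.compare_digest(h(xor(H_PW, XS)), card["B"]):
        return None  # B_i* != B_i: the card aborts
    RN = os.urandom(32)
    DID = xor(h(H_PW, XS), h(XS, RN, ts(T)))
    M = h(card["A"], XS, RN, ts(T))
    return DID, M, xor(RN, XS), T, claim_H_ID or card["H_ID"]


def audit():
    gw = ProposedGateway()
    card_i = enroll(gw, b"user-i", b"password-i", b"card-i")  # constructed sample values
    card_a = enroll(gw, b"user-a", b"password-a", b"card-a")
    now = int(time.time())
    own = card_login(card_a, b"password-a", now)
    cross = card_login(card_a, b"password-a", now, claim_H_ID=card_i["H_ID"])
    return {
        "own_login_accepted": gw.accepts(*own, now=now),
        "cross_user_claim_accepted": gw.accepts(*cross, now=now),
        "card_secret_equals_x_s": card_xs(card_a, b"password-a")[1] == gw.x_s,
        "wrong_password_aborts_on_card": card_login(card_a, b"guess", now) is None,
        "sensor_secrets_distinct": gw.sensor_secret(b"S1") != gw.sensor_secret(b"S2"),
    }


if __name__ == "__main__":
    for finding, value in audit().items():
        print(f"{finding}: {value}")
```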
4.4. Password Change Phase 

The password change phase proceeds when $U_i$ changes $U_i$'s existing password to a new one. In the 
password change phase, $U_i$ does not have to communicate with $GW$. 

P-1 $U_i$ inserts its smart card into a terminal and inputs $ID_i^*$, $pw_i^*$ and $pw_{ni}$. $pw_{ni}$ is $U_i$'s new password. 
P-2 The smart card computes the following. 
    $RN_r^* = h(pw_i^*) \oplus X\_PW_i$ 
    $H\_PW_i^* = h(pw_i^* \| RN_r^*)$ 
    $XS_i^* = C_i \oplus h(ID_s \| H\_PW_i^*)$ 
    $B_i^* = h(H\_PW_i^* \oplus XS_i^*)$ 
    The smart card compares $B_i^*$ with $B_i$. If $B_i^* = B_i$, then the next step proceeds; otherwise, this phase 
    is aborted. 
P-3 The smart card computes the following. 
    $H\_PW_{ni} = h(pw_{ni} \| RN_r^*)$ 
    $A_{ni} = A_i \oplus h(H\_PW_i^* \| XS_i^*) \oplus h(H\_PW_{ni} \| XS_i^*)$ 
    $B_{ni} = h(H\_PW_{ni} \oplus XS_i^*)$ 
    $C_{ni} = XS_i^* \oplus h(ID_s \| H\_PW_{ni})$ 
    The smart card replaces the existing values $A_i$, $B_i$ and $C_i$ with the new values $A_{ni}$, $B_{ni}$ and $C_{ni}$. 

5. Security Analysis of the Proposed Scheme 

This section is devoted to the security analysis of our proposed scheme. We discuss the security of 
our proposed scheme in terms of the security requirements presented in Section 4. Table 2 shows a 
security comparison of the proposed scheme. 



Table 2. Security comparison of the proposed scheme. 

Security Features                 Das' Scheme [3]   Khan and Alghathbar's Scheme [4]   Vaidya et al.'s Scheme [12]   The Proposed Scheme
Replay attacks                    Yes               Yes                                Yes                           Yes
User impersonation attacks        No                No                                 No                            Yes
Gateway node bypassing attacks    No                No                                 No                            Yes
Parallel session attacks          No                No                                 Yes                           Yes
Password guessing attacks         No                No                                 Yes                           Yes
Sensor node capture attacks       No                No                                 No                            Yes
Stolen smart card attacks         No                No                                 Yes                           Yes
Lost smart card problems          No                No                                 Yes                           Yes
Privileged-insider attacks        No                Yes                                Yes                           Yes
Stolen-verifier attacks           Yes               Yes                                Yes                           Yes
Mutual authentication             No                No                                 Yes                           Yes
Key agreement                     No                No                                 Yes                           Yes
Password change phase             No                Yes                                Yes                           Yes

(Yes: The scheme resists the attacks or provides the functionality; No: The scheme does not resist the attacks 
or provide the functionality). 

■ Replay attacks: The proposed scheme resists replay attacks because all authentication requests 
include current timestamps, such as $T_i$ of $\{DID_i, M_{U_i-G}, v_i, T_i, H\_ID_i\}$. 

■ User impersonation attacks and gateway node bypassing attacks: In the proposed scheme, 
an attacker cannot create valid authentication requests $\{DID_i, M_{U_i-G}, v_i, T_i, H\_ID_i\}$ or 
$\{y_i, w_i, M_{G-U_i}, q_j, T_G'\}$ because he/she cannot compute the secret data $X_S$ and $h(K)$. Therefore, 
user impersonation attacks and gateway node bypassing attacks are impossible. 

■ Parallel session attacks: The proposed scheme is secure against parallel session attacks 
because all authentication requests include random nonces such as $DID_i$, $M_{U_i-G}$ and $v_i$ of 
$\{DID_i, M_{U_i-G}, v_i, T_i, H\_ID_i\}$. 

■ Password guessing attacks: $pw_i$ cannot be guessed by an attacker because it is transmitted only 
after being concatenated with some secret values and one-way hashed. Even a 
privileged-insider cannot guess $U_i$'s password from the registration request $\{ID_i, H\_PW_i\}$ 
because $RN_r$ in $H\_PW_i = h(pw_i \| RN_r)$ is an unknown value to him/her. 

■ Sensor node capture attacks: Even if an attacker captures a sensor node and obtains secret 
data $SID_j$ and $X_{S_j}$ from it, the attacker cannot impersonate $U_i$, GW, or other sensor nodes. Since 
$X_{S_j}$ is the unique secret data only for $S_j$, an attacker cannot compute $X_{S_i}$ for $U_i$ or for GW. 
In addition, he/she cannot compute the secret data of other sensor nodes except $S_j$. 

■ Stolen smart card attacks and lost smart card problems: Even if an attacker extracts $ID_s$, 
$H\_ID_i$, $h(\cdot)$, $A_i$, $B_i$, $C_i$, and $X\_PW_i$ from $U_i$'s smart card, he/she cannot compute any secret data 
$h(K)$ or $X_S$ for attacks. Therefore, the proposed scheme is secure against stolen smart card 
attacks or lost smart card problems. In addition, even if an attacker extracts $ID_s$, $H\_ID_a$, $h(\cdot)$, 
$A_a$, $B_a$, $C_a$, and $X\_PW_a$ from his/her own smart card, he/she cannot compute any secret data 
$h(K)$ or $X_S$ for attacks. Therefore, the proposed scheme prevents attacks using an attacker's own 
smart card. 

■ Privileged-insider attacks: The proposed scheme resists privileged-insider attacks because $pw_i$ 
is transmitted as a digest of some other secret components. 

■ Stolen-verifier attacks: The proposed scheme is secure against stolen-verifier attacks, since 
GW does not maintain a verifier table. 

■ Mutual authentication, key agreement, and password change phase: The proposed scheme 
provides mutual authentication, key agreement between $U_i$ and $S_j$, and password change phase. 
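The Python sketch below is an added example, not code from the paper: it shows the user-side handling of GW's reply $\{y_i, w_i, M_{G-U_i}, q_j, T_G'\}$ that the replay, impersonation and key agreement points above rely on, namely the timestamp window, the recomputation of $M_{G-U_i}$ with $X_{S_i}$, and the derivation of $K_S$ matching the sensor's. SHA-256 as $h(\cdot)$, HMAC-SHA256 as $f$, the 5-second window, the 8-byte timestamp encoding and all sample values are assumptions.

```python
import hashlib
import hmac

DELTA_T = 5  # assumed acceptance window in seconds

def h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()  # SHA-256 stands in for h(.)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def f(data: bytes, key: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()  # assumed stand-in for f

def ts(t: int) -> bytes:
    return t.to_bytes(8, "big")  # assumed fixed-width timestamp encoding

def gw_reply(did_i, m_gs, m_ug, x_si, x_sj, rn_j, t_g):
    # GW side: build {y_i, w_i, M_G-Ui, q_j, T_G'} from values it already holds.
    z = xor(m_gs, rn_j)
    return {"y": xor(rn_j, x_si), "w": xor(z, x_si), "q": xor(x_sj, rn_j),
            "m_gu": h(did_i, m_gs, m_ug, x_si, ts(t_g)), "t_g": t_g}

def user_accept(msg, did_i, m_ug, x_si, now):
    # U_i side: returns the session key K_S, or None if the reply is rejected.
    if now - msg["t_g"] > DELTA_T:
        return None  # stale T_G': replayed reply
    rn_j = xor(msg["y"], x_si)
    m_gs = xor(xor(msg["w"], x_si), rn_j)
    expected = h(did_i, m_gs, m_ug, x_si, ts(msg["t_g"]))
    if not hmac.compare_digest(expected, msg["m_gu"]):
        return None  # sender did not know X_Si, or a covered field was altered
    x_sj = xor(msg["q"], rn_j)
    return f(did_i + rn_j, x_sj)

def sensor_key(did_i, rn_j, x_sj):
    return f(did_i + rn_j, x_sj)  # S_j derives K_S from its own RN_j and X_Sj

def demo():
    # Constructed 32-byte sample values; none come from the paper.
    did_i, m_ug, m_gs = (h(s) for s in (b"DID_i", b"M_Ui-G", b"M_G-Sj"))
    x_si, x_sj, rn_j = (h(s) for s in (b"X_Si", b"X_Sj", b"RN_j"))
    msg = gw_reply(did_i, m_gs, m_ug, x_si, x_sj, rn_j, t_g=1000)
    return msg, did_i, m_ug, x_si, sensor_key(did_i, rn_j, x_sj)
```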

6. Performance Analysis of the Proposed Scheme 

Table 3 shows the computation cost comparison of the proposed scheme. Das' scheme [3], Khan 
and Alghathbar's scheme [4], Vaidya et al.'s scheme [12], and the proposed scheme use only hash and 
XOR operations. We compare these schemes in terms of the number of hash and XOR operations. The 
proposed scheme needs seven more hash operations than Vaidya et al.'s scheme [12]. Nevertheless, one of 
our main concerns is the computation cost of a sensor node rather than that of the entire scheme, 
because sensor nodes are resource-constrained. The computation cost of $S_j$ in the proposed scheme is 
the same as that of Vaidya et al.'s scheme [12]. This means that the computation cost increase of the entire 
scheme is negligible considering the enhanced security. Meanwhile, with respect to communication 
cost, the number of messages transmitted in the proposed scheme is four, which is the same as that of 
Vaidya et al.'s scheme. 

7. Conclusions 

We have proposed an improved mutual authentication and key agreement scheme to overcome the 
security weaknesses of Vaidya et al.'s scheme. The proposed scheme resists user impersonation 
attacks and gateway node bypassing attacks using secret data stored in an attacker's own smart card or 
a sensor. In addition, the proposed scheme prevents possible attacks such as replay attacks, parallel 
session attacks, password guessing attacks, sensor node capture attacks, stolen smart card attacks, lost 
smart card problems, privileged-insider attacks, and stolen-verifier attacks. The proposed scheme is also 
efficient in terms of computation and communication cost considering the limited resources of sensors. 



Table 3. Computation cost comparison of the proposed scheme. 

| Phases | | Das' Scheme [3] | Khan and Alghathbar's Scheme [4] | Vaidya et al.'s Scheme [12] | The Proposed Scheme |
|---|---|---|---|---|---|
| Registration phase | $U_i$ | 0 | 1H | 1H | 2H + 1X |
| | GW | 3H + 1X | 2H + 1X | 4H + 3X | 6H + 3X |
| | $S_j$ | 0 | 0 | 0 | 0 |
| Login phase | $U_i$ | 3H + 1X | 3H + 1X | 6H + 4X | 7H + 5X |
| | GW | 0 | 0 | 0 | 0 |
| | $S_j$ | 0 | 0 | 0 | 0 |
| Authentication and key agreement phase | $U_i$ | 0 | 0 | 1H + 3X | 1H + 4X |
| | GW | 4H + 2X | 5H + 2X | 6H + 6X | 8H + 8X |
| | $S_j$ | 1H | 2H | 2H + 2X | 2H + 2X |
| Password change phase | $U_i$ | | 3H + 2X | 8H + 6X | 9H + 7X |
| | GW | | 0 | 0 | 0 |
| | $S_j$ | | 0 | 0 | 0 |
| Total | | 11H + 4X | 16H + 6X | 28H + 24X | 35H + 30X |

(H: The number of hash operations; X: The number of XOR operations). 